lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080109221523.GA4890@galadriel.inutil.org>
Date: Wed, 9 Jan 2008 23:15:23 +0100
From: Thijs Kinkhorst <thijs@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1457-1] New dovecot packages fix
	information disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1457-1                  security@...ian.org
http://www.debian.org/security/                          Thijs Kinkhorst
January 09, 2008                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : dovecot
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-6598

It was discovered that Dovecot, a POP3 and IMAP server, only when used
with LDAP authentication and a base that contains variables, could allow
a user to log in to the account of another user with the same password.

For the unstable distribution (sid), this problem has been fixed in
version 1.0.10-1.

For the stable distribution (etch), this problem has been fixed in
version 1.0.rc15-2etch3.

The old stable distribution (sarge) is not affected.

We recommend that you upgrade your dovecot packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
    Size/MD5 checksum:  1463069 26f3d2b075856b1b1d180146363819e6
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch2.diff.gz
    Size/MD5 checksum:    95447 4252a81404254f52b5e6c94a4de4523a
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch3.diff.gz
    Size/MD5 checksum:    95500 0830883bb3ca7c2630997d965de70649
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch3.dsc
    Size/MD5 checksum:     1007 5191ee3012a0cc39733193c0a252390b
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch2.dsc
    Size/MD5 checksum:     1007 c3433847e48d110427082efcad604c01

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_alpha.deb
    Size/MD5 checksum:   618976 eb902859a167ebafb599e61924acf195
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_alpha.deb
    Size/MD5 checksum:  1374032 a3dcd337e6db9d0960c00bc338ef8ef2
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_alpha.deb
    Size/MD5 checksum:   580876 bea05f9a7ea34106b4c24d616cc04b32

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch2_amd64.deb
    Size/MD5 checksum:  1217404 d23db4b3ddd688c1fd2f1d071efbebb3
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch2_amd64.deb
    Size/MD5 checksum:   568628 7e1bdb2f9f1b22d9195df779dc3a2c51
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_amd64.deb
    Size/MD5 checksum:   534094 9c7af4af63a1e8fe9eefec8a47f12823
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_amd64.deb
    Size/MD5 checksum:   568666 ef8531b8cf9e8bf4ef56e9d3ca856c30
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch2_amd64.deb
    Size/MD5 checksum:   534050 12b89ff0b7b9401c53b92690bf271fa4
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_amd64.deb
    Size/MD5 checksum:  1217440 e62e69df8289b9faf7dc784aa36653fb

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_arm.deb
    Size/MD5 checksum:  1118112 c3596a761103d16762e93c33d7f6e058
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_arm.deb
    Size/MD5 checksum:   535328 033b84c6b155e0d3313d52e133293d3f
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_arm.deb
    Size/MD5 checksum:   503874 cd1650904a0f228c6b98af6e1bdac58f

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_hppa.deb
    Size/MD5 checksum:   596448 6f670915264fc88cdcf54d6f718271da
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_hppa.deb
    Size/MD5 checksum:   559828 3cd525f298dd4f95ddafc60fa00af2ad
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_hppa.deb
    Size/MD5 checksum:  1293898 32a6bc67694aab1fba397f9b746ec00d

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_i386.deb
    Size/MD5 checksum:  1127876 b720d23e84f19188a4a845a93e1afab5
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_i386.deb
    Size/MD5 checksum:   512088 7f4afa3a1edcc4d9d609ec4e91804e7d
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_i386.deb
    Size/MD5 checksum:   544222 ac00cab6f14766e6519106db934a346e

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_ia64.deb
    Size/MD5 checksum:   733448 741376eac279addd80f1a5a4151c0190
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_ia64.deb
    Size/MD5 checksum:   789836 1f324e98577f0813e0774aebdac4bf3c
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_ia64.deb
    Size/MD5 checksum:  1694506 8fb22f4e16d8829c972eb47d87326442

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_mips.deb
    Size/MD5 checksum:   593186 9429f09e56a17852ec0d4f1883a44418
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_mips.deb
    Size/MD5 checksum:   557174 ad2533c8d9f24818de213ec1ee9e563c
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_mips.deb
    Size/MD5 checksum:  1258326 faec7dd02f8997f5b61565d79b71dfe9

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_mipsel.deb
    Size/MD5 checksum:   556708 e9a23056291e49b07720dfa128cf4355
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_mipsel.deb
    Size/MD5 checksum:   592678 914d97a334c1e5d0c5da3419509053d7
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_mipsel.deb
    Size/MD5 checksum:  1263238 51892e3eef20b05efdedafd93dfb8b27

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_powerpc.deb
    Size/MD5 checksum:   533692 37d655f8f22d8e63fe57f707746d108c
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_powerpc.deb
    Size/MD5 checksum:   567296 c668c1a2296e5a54b4190608ae706564
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_powerpc.deb
    Size/MD5 checksum:  1206504 556c296f2825c508775b5c910ad7f385

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_s390.deb
    Size/MD5 checksum:   592970 6cfce6df2d58abd7e5002394221a0fff
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_s390.deb
    Size/MD5 checksum:  1284770 d60983cf66112e20a71441a8df3ce0ad
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_s390.deb
    Size/MD5 checksum:   557700 a400bbead94536ffd9e6434426307d8c

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch3_sparc.deb
    Size/MD5 checksum:   499754 c0dfefb92101b244c56221c32fd1170c
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch3_sparc.deb
    Size/MD5 checksum:  1103550 dbb8d030cfd1a5e4029177e1251f578e
  http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch3_sparc.deb
    Size/MD5 checksum:   531296 dd6dcf26a866c0590f4e8b746dc09bd4


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhUctXm3vHE4uyloRAuD0AKDIe4vKOlDnBSB2qTpV7KHhGsPeQACfWdgs
AdPfywIwxYYP3rG84liTxdM=
=qN4+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ